Appears in Proceedings, Third IEEE International Symposium on Requirements Engineering (RE'97), January 5-8th, 1997, Annapolis, Maryland, USA. ## Formal Methods for V&V of partial specifications: An experience report Steve Easterbrook and John Callahan {steve,callahan}@cs.wvu.edu NASA/West Virginia University Software IV&V Facility 100 University Drive Fairmont, WV 26554 ## Abstract This paper describes our work exploring the suitability of formal specification methods for independent verification and validation (IV & V) of $\begin{array}{c} \text{ment teams.} \\ \text{In section 2,} \end{array}$ ${\rm IV\&V}$ contractor $\,$ as less access to t e development team t an is ideal. | | C&C MDM acting as t e bus controller Detection of transaction errors in two consecutive processing frames errors are on selected messages t e RT's 1553 FDIR is not in ibited | | T | $egin{array}{c c} T & T & T \\ \hline T & T & T \\ \hline T & T & T \\ \hline \end{array}$ | |-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|--------|--------------------------------------------------------------------------------------------| | A<br>N<br>D | A backup BC is available T e BC as been switc ed in t e last 20 seconds T e SPD card reset capability is in ibited T e SPD card as been reset in t e last 10 major (10 second) frames | T | T<br>T | | | | T e transaction errors are from multiple RTs T e current c annel as been reset wit in t e last major frame | $\frac{T}{T}$ | F | T T | tant in tracing problems back to t e informal specification, and in convincing t e development team t at t ere really is a problem. T e first step was to produce an SCR model of t e specified FDIR be avior. At t is stage we | Current | Conditions | | | | | | | | Next | | | | |---------|----------------|---------------|-----------------|---------------|-----------------|---------------------|--------------|----------------|-----------------|-----------------|-----------------|-----------------| | Mode | errors | bus | bus | bus | backup | BC | $_{ m card}$ | card | errors | $_{ m channel}$ | channel | $\mathbf{Mode}$ | | | in two | swch'd | switch | swch'd | BC | swch'd | reset | reset | $_{ m from}$ | reset | reset | | | | cons. | last | inhibit | $_{ m this}$ | avail. | in last | inhibit | last 10 | $_{ m mult.}$ | last | inhibit | | | | $_{ m frames}$ | $_{ m frame}$ | | $_{ m frame}$ | | $20 \mathrm{sec}$ | | $_{ m frames}$ | RTs | $_{ m frame}$ | | | | Normal | @T | - | - | F | - | - | - | - | - | - | - | switch buses | | | @T | - | T | F | - | - | - | - | - | - | F | reset the | | | @T | $\mathbf{T}$ | - | F | - | - | - | - | - | - | F | $_{ m channel}$ | | | @T | - | - | - | - | - | F | F | Т | Т | - | reset the | | | @T | - | - | - | - | - | F | F | $\mathbf{T}$ | F | $\mathbf{T}$ | $_{ m card}$ | | | @T | Т | - | - | - | - | - | - | F | Т | - | switch RT | | | @T | $\mathbf{F}$ | T | - | - | - | - | - | F | $\mathbf{T}$ | - | to backup | | | @T | $\mathbf{T}$ | - | - | - | - | - | - | F | F | $\mathbf{T}$ | | | | @T | F | $^{\mathrm{T}}$ | - | - | - | - | - | F | F | $\mathbf{T}$ | | | i i | @T | - | - | - | $^{\mathrm{T}}$ | F | Т | - | T | Т | - | switch BC | | | @T | - | - | - | $\mathbf{T}$ | F | Т | - | $^{\mathrm{T}}$ | F | $^{\mathrm{T}}$ | to backup | | | @T | - | - | - | $\mathbf{T}$ | F | - | $\mathbf{T}$ | $^{\mathrm{T}}$ | $\mathbf{T}$ | - | | | | @T | - | - | - | $\mathbf{T}$ | F | - | T | $\mathbf{T}$ | F | $\mathbf{T}$ | | | | @T | - | - | - | $^{\mathrm{T}}$ | Т | Т | - | T | Т | - | switch | | | @T | - | - | - | $\mathbf{T}$ | Т | Т | - | $^{\mathrm{T}}$ | F | $^{\mathrm{T}}$ | all RTs | | | @T | - | - | - | $\mathbf{T}$ | $\mathbf{T}$ | - | Т | T | ${f T}$ | _ | | | | @T | - | - | - | $\mathbf{T}$ | $\mathbf{T}$ | - | Т | T | F | $\mathbf{T}$ | | Table 2: An SCR Mode transition table. Eac of t e central columns represents a condition, s owing w et er it s ould be true or false; '-' means "don't care"; '@T' indicates a trigger condition for t e mode transition. T e four columns of table 1 correspond to t e last four rows of t is table. T e semantics of SCR require t is table to represent a function, so t at t e disjunction of all t e rows covers all possible conditions (coverage), and t e conjunction of any two rows is false (disjointness). t at it leads to, but also for t e removal of ambiguities and for improved understanding. For t is benefit, it is t e process of formalization, rat er t an t e end product t at is important. T e fidelity problem is really a special case of a more general problem: management of consistency between partial specifications expressed in different notations. For instance, t e AND/OR tables ave a clear relations ip wit t e SCR mode tables, but if we make a correction to one of t e AND/OR tables, it is fairly tedious to identify t e corresponding correction in t e SCR tables. Similarly, eac time t e developersolsischeraconomic timfoynballs [readint]/2002/0100/BOTd[(cens)iti599973619000/HOToUt/Harrif1997(8cafic9.1date74020Td('-')Tj11.00 t e assorted partial specifications drawn from different continuing t e experiments described in t is paper by examining ow model c ecking can be used to validate t e specifications. ## Acknowledgments Our thanks are due to Chuck Neppach and Dan McCaugherty for many interesting discussions of the work presented here, and to Frank Schneider, Edward Addy, John Hinkle, George Sabolish, Todd Montgomery and Butch Neal for detailed comments on earlier drafts of this paper. This work is supported by NASA Cooperative Research Agreement NCCW-0040. ## References - [1] V. Basili. T e experience factory and its relations ip to ot er improvement paradigms. In Proceedings of the 4<sup>th</sup> European Software Engineering Conference, Garmish-Partenkirchen, Germany, September 1993. - [2] J. Calla an and T. Montgomery. An approact overification and validation of a reliable multicast protocol. In Proceedings of the ACM International Symposium on Software Testing and Analysis (ISSTA), January 1996. - [3] D. Craigen, S. L. Ger art, and T. Ralston. Formal met ods reality c eck: